Saturday, April 19, 2008

Security is a Process...Not a State (Revisited)

It is second nature to security professionals that security is a process and not a state. However, many of us overlook the implications of this fact in regard to data security. Let's consider the implications now.

The breach of sensitive information is different than a breach of security in regard to physical items. For example, when a laptop is stolen it is no longer available for use. In contrast, when data is stolen it is often the case that an instance (a copy) of that data is in the possession of an unauthorized person. However, the original data is probably still available to the owner. There are many implications resulting from this difference. Security professionals discuss this in terms of operational risk versus organizational risk. The actual loss of data derives not from the theft itself, but from the litigation and bad press that result. The risk applies to brand and shareholder value. It is for this reason that the process of security trumps the actual state of security at any one time.

A formal program of security, even if it is a low-budget, understated program, is imperative for most companies today. If the loss results from bad press and litigation, then the defense is the ability to demonstrate that a reasonable standard of care was being provided. This is best demonstrated by producing a written plan, evidence of effective management with third-party oversight and evidence of the progress being made on the plan. Formalizing the security process does not need to be burdensome or costly, and as a risk mitigation measure, it is almost instantaneous in its effect and unassailable in its cost effectiveness.

Tuesday, October 23, 2007

The Virtual Perimeter in the Age of Convergence

Security is essentially the ancient art of protecting the perimeter. Sometimes ancient, and even recent-day, technologies cannot adequately protect the actual exterior perimeter. For such instances, we recommend establishing a virtual perimeter inside the exterior one. This virtual perimeter is created by delineating a line of pixels in the image of one or more digital cameras. This line of pixels can form the interior, virtual perimeter. The cameras feed the video signal to a server performing analysis of the video images. The server is looking for specific objects in the images that have certain attributes associated with humans, such as a neck and shoulders. When such objects appear near the virtual perimeter and approach that perimeter, the server issues an alert to the security force. A guard carries a handheld device which displays the object and tracks its movement as the guard approaches the intruder.

This solution requires technical sophistication to design and deploy, but it is a perfect example of a security solution that is available as a result of the convergence of certain technologies.
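
The alert rule described in this post, sketched as an added example that is not Ollivier Corporation's code: a track raises an alert only when it is classified as a person, is near the line of pixels, and has moved closer to it over consecutive frames. The track format, the `label` field, and the `near_px` and `closing_frames` thresholds are assumptions of this sketch.

```python
import math

# Constructed sample: the virtual perimeter as a line of pixels in one camera image.
PERIMETER = ((100, 400), (540, 400))  # (x, y) endpoints in pixels

# Constructed tracker output: one centroid per frame. The "label" field stands in
# for the server's human-shape classification and is an assumption of this sketch.
TRACKS = {
    "t1": {"label": "person", "centroids": [(300, 200), (300, 250), (300, 300), (300, 340), (300, 370)]},
    "t2": {"label": "person", "centroids": [(150, 330), (220, 330), (290, 330), (360, 330)]},
    "t3": {"label": "vehicle", "centroids": [(400, 250), (400, 300), (400, 350), (400, 390)]},
}

def distance_to_segment(p, a, b):
    """Shortest pixel distance from point p to the segment a-b."""
    (px, py), (ax, ay), (bx, by) = p, a, b
    dx, dy = bx - ax, by - ay
    seg_len_sq = dx * dx + dy * dy
    if seg_len_sq == 0:  # degenerate perimeter: a single pixel
        return math.hypot(px - ax, py - ay)
    # Project p onto the line, then clamp to the segment's ends.
    t = max(0.0, min(1.0, ((px - ax) * dx + (py - ay) * dy) / seg_len_sq))
    return math.hypot(px - (ax + t * dx), py - (ay + t * dy))

def perimeter_alerts(tracks, perimeter=PERIMETER, near_px=80, closing_frames=3):
    """Return (track_id, frame, distance) for the first frame at which a person
    track is within near_px of the line after closing_frames frames of approach."""
    alerts = []
    for track_id, track in tracks.items():
        if track["label"] != "person":
            continue  # only human-shaped objects are of interest
        closing, prev = 0, None
        for frame, centroid in enumerate(track["centroids"]):
            d = distance_to_segment(centroid, *perimeter)
            closing = closing + 1 if prev is not None and d < prev else 0
            prev = d
            if d <= near_px and closing >= closing_frames:
                alerts.append((track_id, frame, round(d, 1)))
                break  # one alert per track; the guard's handheld follows it from here
    return alerts

if __name__ == "__main__":
    for track_id, frame, dist in perimeter_alerts(TRACKS):
        print(f"ALERT track={track_id} frame={frame} distance_px={dist}")
```

Track `t2` stays within 80 pixels of the line but walks parallel to it, so it raises no alert; `t3` approaches but is not classified as a person.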

Sunday, June 17, 2007

Beyond Convergence

I get dozens of emails each week on "convergence." I gave the keynote address at Security Summit 2007 in Los Angeles and the title of the Summit was: Convergence: The Next Horizon. It is safe to say that convergence is the number one topic in the security field. The industry is experiencing a major transformation. However, the focus on convergence is misplaced. I believe it derives from the perspective that as security devices become network peripherals, security professionals are focused on the point of convergence. The problem with this focus is that it results in underachieving. Such a focus leads to security devices operating on Ethernet networks and providing the same functions as those same devices provided previously, when they were standalone electronic systems. I encourage all security systems manufacturers and integrators to look beyond convergence. This longer-range focus changes the objective from gaining equivalent functionality to engineering the network, which means optimizing it, to protect people, facilities and data and to prevent fraud. Looking beyond convergence helps expand the context to achieve a higher level of protection by using the benefits that become available through convergence.

Please let me know your thoughts on this topic.

Saturday, March 03, 2007

Industry Report Points to Ollivier Corporation

Ray Bernard is an industry analyst who I have known for about four years. When I was new to the security industry, he was one of the first security consultants whose eyes lit up when he and I talked about the integration of physical and data security. He has gone on to create an incisive new report on the industry.

He talks about such projects as the national retailer (over 300,000 employees) deploying 150,000 IP cameras globally, as an incremental addition to their global deployment of IP Telephony. IP Telephony (VoIP) replaces analog phones and connects directly to a network, getting both power and communication connectivity over Ethernet-based networks.

Very few discussions of convergence in the security industry use "installation" as an example. Ray does in his report. He talks about the installer preparing the IP-based cameras in the same manner as IP-based phones. Both are put in similar boxes, prior to distributing to regional offices, with the same information barcodes on the boxes and with network cable location numbers. A swipe of the computerized barcode scanner displays exactly where a phone or camera is to go along with other installation information. This enables an integrator to reduce the typical per-camera installation time from 3 hours to 30 minutes. This is a classic IT application.

Ray then points out that Ollivier Corporation is using common IT installation strategies for its security deployments. He reports that customers want the benefit of IT expertise from their security integrator and that Ollivier Corporation is way out in front of other physical security integrators. I encourage you to learn more about Mr. Bernard's industry report.

Thursday, February 01, 2007

Guards, Dogs and Technology

I am still surprised how seldom the balance between a guard force and technology-based security systems is discussed. It seems as though the discussions of how to deploy each of these are held in isolation from the other. Here are some of my thoughts. Now that security devices, such as cameras and access control readers, are peripherals on the network, they are much more intelligent than just a couple of years ago. They are especially intelligent if the network is engineered to take advantage of communication between the devices and with the data available on the network. It is this communication that enables Eye on Cash, GPS Logon, Virtual Perimeters, Virtual Mantrap, CRM Secure and other solutions developed by Ollivier Corporation to be available at low cost in today's market.

As intelligent as these solutions are, they still require the judgment provided by a competent guard force. These solutions sort through hundreds of events to create alerts and alarms that are rendered important or meaningless by the guard force. The guard force is comprised of first responders. What this means is that the guard force's value and contribution is significantly increased by relegating monitoring and surveillance to devices. I have been told by guard service organizations that they make more money deploying intelligent guards to monitor and assess the output of computer-based security systems than they do selling low-paid guards.

Friday, December 29, 2006

Meshing Surveillance

I am working with residential building owners in a very high crime area of Los Angeles. We intend to cover the entire 5 square mile area with IP-based surveillance cameras. The trick is that each of the buildings in this area is owned by individuals, acting in a loose confederation as property owners. They require high quality cameras because the ambient lighting will vary dramatically and a high level of visual acuity will assist in making proper identifications.

While the cameras must be high quality, the infrastructure must be low cost, yet tie each camera into the network.

New mesh network technology dramatically reduces the cost and planning required to improve infrastructure and therefore creates a platform for higher functioning cameras. This configuration is working well in a few cities and we hope to apply it to our situation in Los Angeles. If you have any comments, please contact me at joelrakow@olliviercorp.com.

Thursday, November 16, 2006

Security is a Process...Not a State

It is second nature to most of us that security is a process and not a state. However, many of us overlook the implications of this fact in regard to data security. Let's consider the implications now.

The breach of sensitive information is different than a breach of security in regard to physical items and is discussed more than once in previous postings on this blog. The actual loss derives not from the breach, but from the litigation and bad press that result. The risk applies to brand and shareholder value. It is for this reason that the process of security must be formalized. If the loss results from bad press and litigation, then the defense is the ability to demonstrate that a reasonable standard of care was being provided. This is best demonstrated by producing a written plan, evidence of effective management with third-party oversight and evidence of the progress being made on the plan.

Formalizing the security process does not need to be burdensome or costly, and as a risk mitigation measure, it is almost instantaneous in its effect and unassailable in its cost effectiveness.

Access Control Moving to IT?

Two years ago, physical security appeared to be the sole domain of the traditional security organization. Maybe it is me, but it seems that in small and large organizations alike, I am seeing the IT organization as the prime mover in access control... and often surveillance. In just the last week, I have visited a hosting company for 40,000 realtors, the company responsible for 80% of all transmissions of digital cinema films and one of the oldest large residential communities in Los Angeles.

In each case, the Technology Director, the Network Administrator or Facilities Technician (in the IT department) has been the primary point of contact. Two of these companies are part of very large organizations that have traditional security, yet it is as though they do not exist. What does this mean?

It seems to be the beginning of a trend. It seems to me that while the physical security professionals get comfortable with the concept of convergence, the IT professionals are filling the void of indecision. In my opinion, all that has to happen for physical security to re-establish its rightful place is to understand that IT wants to be the custodian of the access control system and they want security to be the owner of the data. This can be an easy arrangement to negotiate and one that serves both professional communities.